[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] New HTTP authorization attack



On 23/08/11 05:56, Mike Perry wrote:

>> FWIW, there are many ways to track a browser cross-site and across
>> restarts, even if you have javascript and cookies and flash cookies
>> disabled. I recently blogged about a bunch of them which abuse the
>> browser cache here:
>>
>> https://grepular.com/Preventing_Web_Tracking_via_the_Browser_Cache
> 
> None of this is news.
> 
> FYI, Torbutton traditionally handled both HTTP auth and cache through
> the toggle feature. I've since realized that the toggle model was
> broken, and we've been trying to supplant it in the 2.2.x Tor Browser
> Bundles:

If you read the article, you'll see that clearing the cache on toggle
isn't enough. The cache should be completely disabled. If not, you could
visit sitea.com, then visit siteb.com, and they could easily figure out
that you're the same person. Even if you're coming from a different Tor
exit node, even if you clear cookies inbetween. That is unless you have
the patience to only visit one site at a time, and toggle off/on between
each different site visit.

-- 
Mike Cardwell https://grepular.com/  https://twitter.com/mickeyc
Professional  http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu   0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk